““Implementation of Healthcare Implementation of Healthcare Reform and HIT Implementation Reform and HIT Implementation

on Health Care Providers”on Health Care Providers”

Oct. 14, 2010 Oct. 14, 2010 George Washington Hospital - Washington, George Washington Hospital - Washington,

DCDC

Randi Kopf, RN, MS, JDRandi Kopf, RN, MS, JDKopf HealthLaw, LLCKopf HealthLaw, LLC

Rockville, MarylandRockville, Maryland

www.kopfhealthlaw.com www.kopfhealthlaw.com 301-251-2788301-251-2788

Randi Kopf, RN, MS, JD is the founding and principal attorney of Kopf HealthLaw, LLC, a general health law practice. Ms. Kopf has over 30 years of professional experience and serves as general and health counsel for individual physicians, medical groups, national and regional medical and allied health associations, healthcare practitioners and entities locally and across the country, as well as, certain patient matters. Her practice assists clients with corporate matters such as incorporation, practice structuring, medical practice acquisition and sale, employee agreements and employment related matters, e-medicine and e-law issues, managed care contracting and negotiations and professional grievance matters. Ms. Kopf provides advice regarding regulatory and legislative matters, practice Compliance plans, the application of federal and state legislation, fraud and abuse issues, HIPAA, Stark, Medicare, health insurance matters and the new HealthCare Reform legislation. She is an invited member of the Maryland Attorney Grievance Commission Peer Review Panel and has served on the Maryland Health Care Commission EDI/HIPAA task force that developed nationally accepted privacy guideline tools.

Ms. Kopf has provided legal support for several U.S. Congressional health care bills and advocated on behalf of physicians before the US Attorney’s Health Care Fraud Task Force. She has been a sought after speaker for national and state conferences on medical legal topics. Ms. Kopf has extensive teaching experience and has held instructor and faculty positions at Georgetown University, the University of Maryland and Adelphi University. Her published work includes Compliance Program Guide, Before You Sign … Managed Care Contract Review for Health Care Providers, and The Nursing Handbook of Physical Assessment. She served as editor and contributor for the Business and Legal Guidebook for Nurse Practitioners published by The American Association of Nurse Attorneys, (TAANA). The American Bar Association, in their Health Lawyer Journal, published her article, “Antitrust Enforcement: How Medical Practices Feel the Effects”. Ms. Kopf has been a frequent contributor to professional journals. She has been an editor and contributing author for the Journal of Nursing Law. She serves on the Board of Advisors and contributor to Managed Care Contract Negotiator and Health Information Compliance Insider as well as contributing to Medicare Compliance Alert, Medical Economics, BNA E-Health Reporter and other professional publications. Ms. Kopf has been frequent lecturer for Bar and other professional associations

Ms. Kopf received a B.S. from Cornell University, a B.S. and M.S. degree from the State University of New York at Stony Brook School of Nursing, and a J.D. degree from the University of Maryland School of Law. She is admitted to practice law in Maryland, the District of Columbia and the United Sates Supreme Court. Ms Kopf was Board certified as a Family Nurse Practitioner for over 25 years. She has received recognition by Who’s Who in American Medicine and Health Care, Who’s Who of American Women, Who’s Who in American Nursing and received the Cornell University Alumni Award for Outstanding Volunteerism, the National Distinguished Service Award in Nursing and the Distinguished Service Award for TAANA. Ms. Kopf is a member of the American Bar Association, American Health Lawyers Association, TAANA, Maryland (MSBA) and District of Columbia Bar, Montgomery County Bar Association (former Chair of the Health law section) and Special Technology Section of the MSBA. She serves as a Member of the Board of Directors and former Officer of TAANA, President of the Chesapeake Nurse Attorneys, Inc. and has been recognized as a “Super Lawyer” in healthcare law in Maryland and Washington, DC in 2007- 2010.

SPEAKER BIO

DISCLAIMERDISCLAIMER

This information is being This information is being provided as general education provided as general education

for informational purposes for informational purposes only and not for the purpose only and not for the purpose

of providing legal advice. of providing legal advice. Although it was prepared by a Although it was prepared by a

professional it is not to be professional it is not to be utilized as a substitute for utilized as a substitute for

personal legal counsel.personal legal counsel.

Healthcare Reform (ACA), Healthcare Reform (ACA), HITECH Act and Your PracticeHITECH Act and Your Practice

Reformation of system incorporating preventive, Reformation of system incorporating preventive, holistic care that benefits the patients, families and holistic care that benefits the patients, families and society overallsociety overall

Patient protective legislation – more covered services Patient protective legislation – more covered services (H&P), coverage for children w/ pre-existing illness, (H&P), coverage for children w/ pre-existing illness, previously uninsured, people with expensive medical previously uninsured, people with expensive medical conditions, health insurance boundariesconditions, health insurance boundaries

Interdisciplinary provider networks to provide team Interdisciplinary provider networks to provide team approach care (Medical Homes)approach care (Medical Homes)

Payment shift from procedures to outcomePayment shift from procedures to outcome Lower covered fees for certain specialtiesLower covered fees for certain specialties Bonus payments for better patient outcomes Bonus payments for better patient outcomes Bonus payments to qualified primary care practicesBonus payments to qualified primary care practices

Healthcare Reform (ACA), Healthcare Reform (ACA), HITECH Act and Your PracticeHITECH Act and Your Practice

Use of HIT to further administrative, Use of HIT to further administrative, societal and best medical practices goals societal and best medical practices goals Federal PHI data collection Federal PHI data collection

EHR and electronic claims filings will be EHR and electronic claims filings will be mandatorymandatory Eligible Providers (EP) can apply for EHR grant Eligible Providers (EP) can apply for EHR grant

money money Increased provider monitoring, evidence Increased provider monitoring, evidence

based protocols, practices and limited based protocols, practices and limited medical formulariesmedical formularies

Compliance plans are mandatory Compliance plans are mandatory Increased provider and practice liabilities Increased provider and practice liabilities

no tort reformno tort reform

Global EHR Considerations Global EHR Considerations Nationally centralized and accessible Nationally centralized and accessible

patient information - acceptable pubic patient information - acceptable pubic and national interestand national interest

Federal collection of health data to assist Federal collection of health data to assist tracking of potential bioterrorism eventstracking of potential bioterrorism events

Retrieval and remote access issuesRetrieval and remote access issues System interfacing - Compatible System interfacing - Compatible

technology technology Ability to treat and monitor patients from Ability to treat and monitor patients from

remote sites including space & war zones remote sites including space & war zones - acceptable national and public interest- acceptable national and public interest

Federal EHR ConsiderationsFederal EHR Considerations

Reduction in health care costs as a Reduction in health care costs as a permissible business purposepermissible business purpose

Administrative simplificationAdministrative simplification Federal determination of Medicare Federal determination of Medicare

patients’ ‘best choice’ of medication or patients’ ‘best choice’ of medication or treatmenttreatment

Increased ability of Medicare and insurance Increased ability of Medicare and insurance carriers to perform electronic clinical carriers to perform electronic clinical performance reviews, referrals and billing performance reviews, referrals and billing audits of providers/health care entitiesaudits of providers/health care entities

Health insurance payment determinations, Health insurance payment determinations, Workers Compensation determinations, Workers Compensation determinations, Disability SSI determinationsDisability SSI determinations

Societal EHR Considerations Societal EHR Considerations

Acceptable public interestsAcceptable public interests Reduction in medical errorReduction in medical error Promotion of public health Promotion of public health Tracking of medication prescribing Tracking of medication prescribing

and use and use Identification of repetitive drug Identification of repetitive drug

procurement for addiction or saleprocurement for addiction or sale Improved health via EHR and effective Improved health via EHR and effective

home health carehome health care Professional oversightProfessional oversight

E-Tracking of quality of care and outcomeE-Tracking of quality of care and outcome

HITECH ACTHITECH ACT((HIPAA Enforcement Provisions)HIPAA Enforcement Provisions)

Applies to HIPAA Covered Entities (healthcare Applies to HIPAA Covered Entities (healthcare providers, health plans, health care clearing providers, health plans, health care clearing houses) and their Business Associates (BA)houses) and their Business Associates (BA)

Imposed breach notification requirements on Imposed breach notification requirements on covered entities and their BAs.covered entities and their BAs.

Increased an individual’s rights re: PHI.Increased an individual’s rights re: PHI. Increased enforcement and penalties for Increased enforcement and penalties for

violation of privacy and security of PHI.violation of privacy and security of PHI. Notification obligations only apply to Notification obligations only apply to

unsecured unsecured PHIPHI Breach is defined as Breach is defined as unauthorized unauthorized acquisition, acquisition,

access, use or disclosure of PHIaccess, use or disclosure of PHI

HITECH Act EnforcementHITECH Act Enforcement

HITECH Act raises the level of HITECH Act raises the level of enforcement enforcement Secretary of HHS to perform investigation Secretary of HHS to perform investigation

of cases identified with willful neglect and of cases identified with willful neglect and to impose civil money penaltiesto impose civil money penalties

State Attorney Generals permitted to bring State Attorney Generals permitted to bring civil action in federal court if they have civil action in federal court if they have reasonable belief that a citizen has been reasonable belief that a citizen has been adversely affected by a HIPAA violationadversely affected by a HIPAA violation

FTC will also have regulatory authority to FTC will also have regulatory authority to take actiontake action

HITECH EHR Grant HITECH EHR Grant Medicare Eligible ProvidersMedicare Eligible Providers

Eligible Medicare Professionals (EP)Eligible Medicare Professionals (EP) Doctor of Medicine or Osteopathy, Dental Surgery, Doctor of Medicine or Osteopathy, Dental Surgery,

Dental Medicine, Podiatry, Optometry, ChiropractorDental Medicine, Podiatry, Optometry, Chiropractor Eligible Medicaid ProfessionalsEligible Medicaid Professionals

Physicians, nurse practitioners, nurse midwives, Physicians, nurse practitioners, nurse midwives, dentist, PA in HRSA facilities dentist, PA in HRSA facilities

Must register for the incentive program- Must register for the incentive program- begins 1.1.2011begins 1.1.2011

Must have 80% of patients in certified EHR Must have 80% of patients in certified EHR technologytechnology

Must demonstrate meaningful use for the Must demonstrate meaningful use for the EHR reporting periodEHR reporting period Must meet meaningful use requirements of Stage 1Must meet meaningful use requirements of Stage 1 90 days consecutive use for year 190 days consecutive use for year 1

EHR Grant Resources and HelpEHR Grant Resources and Help

http://www.cms.gov/EHRincentivePrograms http://healthhit.hhs.gov

EHR Practice IssuesEHR Practice Issues

Practice concerns:Practice concerns: Inhibition of patient disclosure of personal Inhibition of patient disclosure of personal

information due to access to their information due to access to their information information

Chilling effect of appropriate and customaryChilling effect of appropriate and customary

‘ ‘off label’ use of medicationsoff label’ use of medications Increased potential for legal liabilityIncreased potential for legal liability Compliance with laws and policiesCompliance with laws and policies Creation of forensic evidenceCreation of forensic evidence Ease of misuse and abuse of PHI Ease of misuse and abuse of PHI

Unauthorized redisclosure concernsUnauthorized redisclosure concerns

Preliminary Legal EHR IssuesPreliminary Legal EHR Issues

Contracting issues for commercial softwareContracting issues for commercial software Legal complianceLegal compliance Risk assessmentRisk assessment Ownership Ownership Access and SecurityAccess and Security Certified SoftwareCertified Software InteroperabilityInteroperability Insurance coverage for hardware and Insurance coverage for hardware and

technology software and electronic technology software and electronic practicepractice

EHR Practice IssuesEHR Practice Issues

Practice concerns:Practice concerns: Emailed PHI is vulnerable to:Emailed PHI is vulnerable to:

Breach of confidentiality Breach of confidentiality HIPAA/policy violationHIPAA/policy violation Incorrect party/employer viewingIncorrect party/employer viewing Theft for commercial use – cyber piratesTheft for commercial use – cyber pirates Common cause of legal action Common cause of legal action

EHR Practice Issues EHR Practice Issues

Practice Concerns:Practice Concerns: HIPAA Security Rules and HITECH ACT HIPAA Security Rules and HITECH ACT

compliancecompliance EHR format reduces provider critical EHR format reduces provider critical

assessmentassessment Forces choice of displayed options onlyForces choice of displayed options only

Charting errors difficult to correct and may Charting errors difficult to correct and may stay with patient’s record “forever” stay with patient’s record “forever”

Increased ability to perform clinical Increased ability to perform clinical performance reviews, referrals and billing performance reviews, referrals and billing audits of providers/entitiesaudits of providers/entities

Medication prescribing controlled by programMedication prescribing controlled by program Any documentation omissions, errors, billing Any documentation omissions, errors, billing

claim irregularities or red flags detected by claim irregularities or red flags detected by computer screeningcomputer screening

Potential Legal ActionsPotential Legal Actions

Civil actionsCivil actions Negligence –malpractice, failure to Negligence –malpractice, failure to

inform, warn or protect, breach of duty of inform, warn or protect, breach of duty of care or standard of carecare or standard of care

Fraud, misrepresentation, falsifying Fraud, misrepresentation, falsifying encounter information (insurance fraud)encounter information (insurance fraud)

Medical record or patient consent State Medical record or patient consent State laws violationslaws violations

Breach of ContractBreach of Contract Breach of fiduciary dutyBreach of fiduciary duty

Defamation Defamation Breach of confidentiality & invasion of Breach of confidentiality & invasion of

privacyprivacy Federal consent laws and regulationsFederal consent laws and regulations Commercial use of PHI without consentCommercial use of PHI without consent

Potential Legal ActionsPotential Legal Actions

Criminal actionsCriminal actions Health care fraud is a felonyHealth care fraud is a felony

Patient encounter documentation Patient encounter documentation Billing, coding and claims submissionBilling, coding and claims submission Proof of intent no longer neededProof of intent no longer needed

Practicing medicine/nursing without Practicing medicine/nursing without a license via email or telemedicinea license via email or telemedicine

Potential Legal ActionsPotential Legal Actions Administrative actionsAdministrative actions

Federal or State regulatory violations can Federal or State regulatory violations can lead to civil and/or criminal actions - lead to civil and/or criminal actions - potential fines, penalties, restitution, potential fines, penalties, restitution, imprisonment, exclusion as a imprisonment, exclusion as a Medicare/Medicaid provider and loss of Medicare/Medicaid provider and loss of professional licenseprofessional license

Filing a complaint with OCR, HHS, CMS, DOJ, OIG, Filing a complaint with OCR, HHS, CMS, DOJ, OIG, EEOC, FBI, USAG, or State AG officeEEOC, FBI, USAG, or State AG office

Filing a professional grievance with the Filing a professional grievance with the professional Boardprofessional Board

Noncompliance with documentation principles or Noncompliance with documentation principles or professional guidelinesprofessional guidelines

Professional Board investigation into violations of Professional Board investigation into violations of Professional Rules of Conduct and Practice ActsProfessional Rules of Conduct and Practice Acts

Filing a complaint with JCAHO or State Department Filing a complaint with JCAHO or State Department of Healthof Health

EHR Increases Practice Liabilities EHR Increases Practice Liabilities

Use of electronic forensic firms to Use of electronic forensic firms to reveal ‘deleted’ data, metadata and reveal ‘deleted’ data, metadata and other e-evidenceother e-evidence

Greater potential for significant Greater potential for significant damages with the EHRdamages with the EHR

Ease & Speed of disclosureEase & Speed of disclosure Breadth of potential disclosureBreadth of potential disclosure Reproduction of initial errorReproduction of initial error Identification and creation of pattern of Identification and creation of pattern of

errorserrors HITECH Act gives everyone in a medical HITECH Act gives everyone in a medical

office personal liabilityoffice personal liability

Potential Consequences Potential Consequences of Regulatory Violationsof Regulatory Violations

Loss of Professional LicenseLoss of Professional License Loss of EmploymentLoss of Employment Legal Actions Against you, your Legal Actions Against you, your

practice or your employerpractice or your employer Fines Fines –– you, your practice or your you, your practice or your

employeremployer Exclusion from Medicare/Medicaid as a Exclusion from Medicare/Medicaid as a

ProviderProvider Personal Property & Asset ForfeiturePersonal Property & Asset Forfeiture PrisonPrison

Steps to Minimize EHR Related Steps to Minimize EHR Related LiabilitiesLiabilities

Perform a technology risk assessment Perform a technology risk assessment Assess computer security and file accessAssess computer security and file access Identify security of electronic Identify security of electronic

communications communications EHR, Email, PDA, Texting, WebsiteEHR, Email, PDA, Texting, Website

Identify any current noncompliant Identify any current noncompliant physicians, staff or office practicesphysicians, staff or office practices

Policy regarding taking laptops homePolicy regarding taking laptops home Review electronic vendor contractsReview electronic vendor contracts

HIPAA Privacy & Security compliance HIPAA Privacy & Security compliance LiabilityLiability Warranty and Fitness for useWarranty and Fitness for use

Reducing Practice LiabilityReducing Practice LiabilityTechnology Risk AssessmentTechnology Risk Assessment

Perform a risk assessment prior to notification if Perform a risk assessment prior to notification if there is an unauthorized breach or disclosurethere is an unauthorized breach or disclosure What was the type and amount of PHI involved?What was the type and amount of PHI involved? Determine if the impermissible disclosure compromised Determine if the impermissible disclosure compromised

the privacy or security of the PHI and/or the individual the privacy or security of the PHI and/or the individual Are there any applicable exceptions?Are there any applicable exceptions? What, if any, notification requirements applyWhat, if any, notification requirements apply

Time runs from when breach is discoveredTime runs from when breach is discovered These reporting exceptions are considered These reporting exceptions are considered

controversial and HHS is currently considering controversial and HHS is currently considering revising or repealing these criteria by the end of revising or repealing these criteria by the end of 20102010 To remove the ‘harm’ determination from the breaching To remove the ‘harm’ determination from the breaching

entity and increased patient protectionentity and increased patient protection

Plan to Minimize Potential Plan to Minimize Potential ViolationsViolations

Create HIPAA compliant policies and Create HIPAA compliant policies and procedures for your workplaceprocedures for your workplace

Inform staff that violations can be Inform staff that violations can be grounds for immediate terminationgrounds for immediate termination

Obtain proper consent from patientsObtain proper consent from patients Discuss or disclose PHI in private and Discuss or disclose PHI in private and

appropriate areasappropriate areas DonDon’’t leave a computer, laptop, PDA, t leave a computer, laptop, PDA,

cell phone with PHI unattended or cell phone with PHI unattended or unlockedunlocked Policy regarding portable devices containing Policy regarding portable devices containing

EHREHR

Plan to Minimize Potential Plan to Minimize Potential ViolationsViolations

Confirm compliance efforts required Confirm compliance efforts required by HIPAA, related laws and by HIPAA, related laws and regulationsregulations

Limit staff access to PHI with Limit staff access to PHI with passwords, biometrics, etc.passwords, biometrics, etc.

Be sure EHR includes the ability to Be sure EHR includes the ability to retrieve PHI and a trail of any retrieve PHI and a trail of any disclosuresdisclosures

Have a signed Business Associate Have a signed Business Associate Agreement with vendors, lawyers, Agreement with vendors, lawyers, etc. prior to releasing PHIetc. prior to releasing PHI

Post, make available and update the Post, make available and update the NPPNPP

Work with an experienced health Work with an experienced health lawyerlawyer

26

E-Health ResourcesE-Health Resources

National Coordinator for National Coordinator for Health Information Health Information Technology of HHS Technology of HHS (ONC) – (ONC) – http://healthit.hhs.govhttp://healthit.hhs.gov

CMS Doctors’ Office CMS Doctors’ Office Quality Information Quality Information Technology (DOQ-IT)Technology (DOQ-IT)

The President's The President's Information Technology Information Technology Advisory Committee – Advisory Committee – June 2004June 2004

Certification Certification Commission for Health Commission for Health Information Technology Information Technology – www.cchit.org– www.cchit.org

ARRA HIT Grants – ARRA HIT Grants – www.grants.govwww.grants.gov

Healthcare Information Healthcare Information and Management and Management Systems Society –Systems Society –www.himss.orgwww.himss.org

Office for the Office for the Advancement of Advancement of Telehealth (OAT) – Telehealth (OAT) – telehealth.hrsa.govtelehealth.hrsa.gov

American Health American Health Information Community Information Community of HHSof HHS

Patient Privacy Rights – Patient Privacy Rights – www.patientprivacyrighwww.patientprivacyrights.orgts.org

27

E-Health Resources E-Health Resources Telemedicine Telemedicine

Information Exchange - Information Exchange - tie.telemed.orgtie.telemed.org

Electronic Privacy Electronic Privacy Center –www.epic.orgCenter –www.epic.org

Association of Association of Telehealth Service Telehealth Service Providers – Providers – www.atsp.orgwww.atsp.org

International Society International Society for Telemedicine – for Telemedicine – www.isft.orgwww.isft.org

Center for Telemedicine Center for Telemedicine Law – www.ctl.orgLaw – www.ctl.org

American Medical American Medical Association – www.ama-Association – www.ama-assn.orgassn.org

Dept. of Health & Dept. of Health & Human Services – HIT – Human Services – HIT – www.hhs.gov/recovery/repwww.hhs.gov/recovery/reports/plans/hitorts/plans/hit

American Medical American Medical Informatics Association Informatics Association - www.amia.org- www.amia.org

American Health American Health Information Information Management Management Association - Association - www.ahima.orgwww.ahima.org

American Telemedicine American Telemedicine Association – Association – www.atmeda.orgwww.atmeda.org

Office of Rural health Office of Rural health Policy – Policy – www.ruralhealth.hrsa.gwww.ruralhealth.hrsa.govov

Federal Governance of the Federal Governance of the EHREHR

PPACA – Patient PPACA – Patient Protection and Protection and Affordable Care ActAffordable Care Act

HIPAA – Privacy and HIPAA – Privacy and Security Rules & HITECH Security Rules & HITECH ActAct

ARRA & HITECH ActARRA & HITECH Act Office of the National Office of the National

Coordinator of Health Coordinator of Health Information Technology Information Technology (ONC)(ONC)

Certification Commission Certification Commission of Health Information of Health Information Technology (CCHIT) Technology (CCHIT) www.cchit.orgwww.cchit.org

Social Security Act - Social Security Act - Medicare\MedicaidMedicare\Medicaid

E-Prescribing Act of 2005E-Prescribing Act of 2005 Health Care Fraud/False Health Care Fraud/False

Claims Act (FCA)Claims Act (FCA) Prohibited Physician Prohibited Physician

Referral Laws – StarkReferral Laws – Stark Referral linked on E-Referral linked on E-

RxRx Antikickback StatuteAntikickback Statute Workers Compensation Workers Compensation Freedom of Information Freedom of Information

Act (FOIA)Act (FOIA) Home Land SecurityHome Land Security Public Health lawsPublic Health laws

Substance Abuse Substance Abuse Treatment recordsTreatment records

Disease and abuse Disease and abuse reportingreporting